{"id":349,"date":"2026-03-23T07:34:59","date_gmt":"2026-03-23T07:34:59","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=349"},"modified":"2026-03-23T07:34:59","modified_gmt":"2026-03-23T07:34:59","slug":"hackers-exploit-cve-2025-32975-cvss-10-0-to-hijack-unpatched-quest-kace-sma-systems","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=349","title":{"rendered":"Hackers Exploit CVE-2025-32975 (CVSS 10.0) to Hijack Unpatched Quest KACE SMA Systems"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Mar 23, 2026<\/span><\/span>Vulnerability \/ Endpoint Security<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Threat actors are suspected to be exploiting a maximum-severity security flaw impacting Quest KACE Systems Management Appliance (SMA), according to Arctic Wolf.<\/p>\n

The cybersecurity company said<\/a> it observed malicious activity starting the week of March 9, 2026, in customer environments that’s consistent with the exploitation of CVE-2025-32975<\/a> on unpatched SMA systems exposed to the internet. It’s currently not known what the end goals of the attack are.<\/p>\n

CVE-2025-32975 (CVSS score: 10.0) refers to an authentication bypass vulnerability<\/a> that allows attackers to impersonate legitimate users without valid credentials. Successful exploitation of the flaw could facilitate the complete takeover of administrative accounts. The issue was patched by Quest in May 2025.<\/p>\n

In the malicious activity detected by Arctic Wolf, threat actors are believed to have weaponized the vulnerability to seize control of administrative accounts and execute remote commands to drop Base64-encoded payloads from an external server (216.126.225[.]156) via the curl command.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

The unknown attackers then proceeded to create additional administrative accounts via \u00abrunkbot.exe<\/a>,\u00bb a background process associated with the SMA Agent that’s used to run scripts and manage installations. Also detected were Windows Registry modifications via a PowerShell script for possible persistence or system configuration changes.<\/p>\n

Other actions undertaken by the threat actors are listed below –<\/p>\n